PT-2019-8631 · D Link · D-Link Dcs-1130

Mandar Satam · Published 2019-07-02 · Updated 2023-04-26 · CVE-2017-8408

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

D-Link DCS-1130 devices (affected versions not specified)

Description

An issue was discovered on D-Link DCS-1130 devices. The device lets a user set an SMB folder for the video clippings it records. The GET parameters sent in this request are passed as commands to a "system" API call, resulting in command injection on the device. The binary "cgibox" contains the vulnerable function "sub_7EAFC", which receives the values sent by the GET request. The value of the GET parameter "user" is extracted in function sub_7E49C and then passed to the vulnerable system API call.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
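The description above names the pattern: a request value reaches a shell through `system()`. The following C sketch is an added illustration, not code from the device firmware or from D-Link, showing that pattern beside a hardened form (allowlist validation, then `execv()` with the value as a single argument). The helper name `smb_helper`, the `--user` option and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* BEFORE (pattern only): the request value is pasted into a shell command
 * line. "smb_helper" is a hypothetical program name. The string is built
 * here but never executed. */
int build_shell_command(char *out, size_t n, const char *user)
{
    /* With system(out), ';', '|', '`', '$' in user are parsed by /bin/sh. */
    return snprintf(out, n, "smb_helper --user %s", user);
}

/* AFTER, step 1: allowlist. 1-32 chars of [A-Za-z0-9._-], no leading '-'
 * so the value cannot be read as an option. */
int smb_user_is_valid(const char *user)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t len = strlen(user);
    if (len == 0 || len > 32 || user[0] == '-')
        return 0;
    return strspn(user, ok) == len;
}

/* AFTER, step 2: no shell. The value travels as one argv element to
 * execv(). Returns the helper's exit status, or -1 on rejection/failure. */
int run_helper_with_user(const char *helper_path, const char *user)
{
    int status;
    pid_t pid;
    if (!smb_user_is_valid(user))
        return -1;                 /* rejected before any process starts */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, "--user", (char *)user, NULL };
        execv(helper_path, argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell avoidance are independent layers: even if the allowlist were loosened, a value passed through `execv()` is never interpreted as shell syntax.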

Exploit

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2017-8408

Affected Products

D-Link Dcs-1130